While combing through our filters in an attempt to find the inevitable love-and-hearts themed spam and malware campaigns, amongst the tons of Valentine's Day themed pharma spam, I noticed a malware campaign leveraging a site called Booking[dot]com. Booking is owned by a more familiar brand, Priceline[dot]com, and, as you can imagine, helps visitors find good deals on hotel stays. This is the first time I've noticed these guys being used as a cover for malicious activity, but it makes sense.

The emails arrive as a hotel confirmation for the Adobe Inn. After a Google search, it seems that this could refer to any of many hotels sharing this name. The email is dated Tuesday, 14 February 12, where I assume the "12" is meant to be 2012, and the reservation is for arrival on Sunday, 19 February 12.

Anyone receiving this email knows they didn't make this reservation, but may be tricked into believing that their Valentine's sweetie had something romantic planned. Curiosity just may lead them into sneaking a peek at what their surprise may be. In order to be fooled, though, they will have to overlook the raw HTML tags that leak into the message text, the strange date format, and the complete lack of personalization.

Once the attachment "BookingCom_Reservation_Details_407498209[dot]zip" is opened and its contents run, the malware is released onto the target system. The original file seems to just disappear, as the real work is done behind the scenes. The malware installs a copy of Trusteer's Rapport software, and just afterwards installs a couple of services named RPService[dot]exe and RPXService[dot]exe which are meant to monitor transactions made through the Rapport software.
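The tells described above (stray HTML in a plain-text body, a two-digit-year date, a generic salutation, and a "reservation details" zip wrapping an executable) are exactly the kind of signals a mail gateway can score before a user ever sees the message. The following is an added example of such triage logic, written for this page and not code from AppRiver or from the campaign itself. It builds a constructed look-alike of the lure (the archive holds a dummy `.exe`, not real malware; the sender address and subject line are assumptions), parses it with Python's `email` module, and returns a list of findings plus a verdict.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions that should never arrive inside a "reservation" zip.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# Lure-style archive names (assumed list; extend from your own spam corpus).
LURE_NAME = re.compile(r"reservation|booking|confirmation|invoice", re.I)
# Raw HTML tags leaking into what claims to be a plain-text body.
HTML_TAG = re.compile(r"</?(br|p|div|span|table|td|tr|b|i|font)\b[^>]*>", re.I)
# "Tuesday, 14 February 12": weekday, day, month, two-digit year.
ODD_DATE = re.compile(
    r"\b(?:Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day,\s+\d{1,2}\s+[A-Z][a-z]+\s+\d{2}\b")
# A real booking confirmation addresses the guest by name.
GENERIC_SALUTATION = re.compile(
    r"^\s*Dear\s+(?:Customer|Guest|Client|User|Sir|Madam)\b", re.I | re.M)


def build_sample() -> EmailMessage:
    """Constructed look-alike of the lure; sender, subject and body text are assumptions."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Dummy payload standing in for the dropper; not a real program.
        zf.writestr("BookingCom_Reservation_Details_407498209.exe", b"MZ-not-really-a-program")
    msg = EmailMessage()
    msg["From"] = "Booking.com <noreply@booking.example>"   # constructed sender
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Your Booking.com reservation at the Adobe Inn"
    msg.set_content(
        "Dear Customer,<br>\n"
        "Your reservation has been confirmed.\n"
        "Booked: Tuesday, 14 February 12\n"
        "Arrival: Sunday, 19 February 12\n"
        "Details are in the attached file.\n"
    )
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="BookingCom_Reservation_Details_407498209.zip")
    return msg


def triage(msg: EmailMessage) -> list:
    """Return a list of string findings for one parsed message."""
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if HTML_TAG.search(text):
        findings.append("html_tags_in_plaintext_body")
    if ODD_DATE.search(text):
        findings.append("two_digit_year_date")
    if GENERIC_SALUTATION.search(text):
        findings.append("generic_salutation")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if LURE_NAME.search(name):
            findings.append(f"lure_named_zip:{name}")
        data = part.get_payload(decode=True) or b""
        try:
            # Look inside the archive without extracting anything to disk.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXTS):
                        findings.append(f"executable_in_zip:{member}")
        except zipfile.BadZipFile:
            findings.append(f"corrupt_zip:{name}")
    return findings


def verdict(findings: list) -> str:
    """An executable inside the zip is decisive on its own; otherwise require three weak tells."""
    if any(f.startswith("executable_in_zip") for f in findings) or len(findings) >= 3:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    found = triage(build_sample())
    print(found, verdict(found))
```

The archive is inspected in memory rather than extracted, so the dropper is never written to disk on the scanning host; a gateway would typically run this before, not instead of, a signature engine, since the weak tells (date format, salutation, stray tags) change from campaign to campaign while "executable inside a reservation zip" rarely has a benign explanation.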

Rapport is offered as a free download to customers of many major banks and money market firms including RBS, Bank of America, Synovus, HSBC, PayPal, Merrill Lynch, and many more. It is meant to keep all transactions safe and secret while banking with these institutions. During sensitive account activity the software even places its Trusteer logo in the address bar of the browser to show that it is working, much like the lock we've grown accustomed to seeing when we're making an encrypted HTTPS connection.

This means that whenever an affected PC connects to one of these banking websites, the rogue Rapport software will run, as will the malware meant to monitor and record everything it does. Afterwards the malicious software ships its newly collected account and password information off to the malware's author.

Keep love in your heart and be not afraid, though, as AppRiver is currently blocking all known variants of this malware. Happy Valentine's Day!